Hi,

This is a very good question that I do not have a good answer to.

It depends on:
- Whether there are good regression test suites or not. If one exists and it passes, then we are on the safer side.
- What the changes are and whether we can oversee them. If they are too intrusive, then that is not a good way forward.
- Trust. If the jbig2dec maintainers have a reputation for never breaking legacy, then we can trust it more.
- Manual testing, of course, but that takes a lot of time.

Best regards

// Ola

On 1 February 2017 at 05:48, Luciano Bello <[email protected]> wrote:
> On Thursday, 26 January 2017 21:05:46 EST Ola Lundqvist wrote:
>> > I started to work on fixing jbig2dec/wheezy for
>> > https://security-tracker.debian.org/tracker/CVE-2016-9601 but
>> > the patch that allegedly fixes the current issue is rather invasive
>> > and while looking at the git history you will quickly see
>> > that almost all the changes since the version that we have in wheezy and
>> > jessie are potential security issues that were never assigned any CVE:
>> > http://git.ghostscript.com/?p=jbig2dec.git;a=shortlog
>
> Hi Ola and Raphael,
> First, sorry for the delay in the answer.
> About jbig2dec, how can we be sure that we are not breaking user programs
> linked to the lib?
>
> /l

-- 
 --- Inguza Technology AB --- MSc in Information Technology ----
/  [email protected]                 Folkebogatan 26             \
|  [email protected]                 654 68 KARLSTAD             |
|  http://inguza.com/                 Mobile: +46 (0)70-332 1551   |
 \ gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9     /
 ---------------------------------------------------------------
